The Facts
Man provides credit card number and PIN codes to online scammers
The case of a man who fell victim to a phishing scam reads as a textbook example of cyber fraud. The man received an email inviting him to participate in an online cash survey. The email contained a web link and instructions to click on the link to complete the survey.
As part of the survey, the man was asked to provide his credit card number, which he did. Unbeknownst to him, by doing so, he made this information available remotely to the scammers who had sent him the email.
The fraudsters then asked the man to enter one-off PIN codes sent by his financial services provider to his mobile phone, which he did.
Transactions made using credit card details
This enabled the scammers to make transactions using the man’s credit card. These transactions totalled over $5,000 and were with merchants outside Australia.
When the man’s financial services provider denied liability for the losses, he lodged a dispute with the Financial Ombudsman Service, which had to determine whether he was liable.
Expert commentary on the court's decision
Financial Ombudsman Service finds customer not liable for his losses
In a case study reported in its 2017-18 annual review, the Financial Ombudsman Service (now renamed the Australian Financial Complaints Authority, or AFCA) found in favour of the customer. (See Case study – Passcodes disclosed mistakenly in scam transactions, Financial Ombudsman Service Annual Review 2017-18, p.91.)
Disputes over electronic transactions under the ePayments Code
The ePayments Code stipulates that if there is a dispute over an electronic transaction, it is up to the financial services provider (FSP) to prove one of two things.
The first is that the customer authorised the payment by making the payment himself or herself, or by having someone else carry out the transaction with his or her knowledge or consent.
The second, where the customer claims not to have authorised the payment, is that he or she breached certain security provisions of the ePayments Code and is therefore liable for the transaction.
Customer found to be not in breach of the ePayments Code
The Financial Ombudsman Service (FOS) found that the customer, identified only as “Mr H”, did not intend to divulge his passcodes to anyone and that he did not know they were meant to be kept secret. Mr H’s argument that he thought he was merely responding to a survey was found to be valid and convincing.
Because Mr H was found not to have disclosed his passcodes voluntarily, it was determined that he did not contribute to his losses under the ePayments Code.
Additional compensation for stress and inconvenience
Mr H had limited liability of $150 for his losses. The FSP was liable to reimburse him for the remaining sum.
In addition, the FSP had to pay Mr H $250 to compensate him for the stress and inconvenience he experienced due to the FSP sending him several text messages referring to his “liability” for the transactions after he referred the dispute to the FOS.
What is a phishing scam?
A phishing scam is an attempt by a criminal to trick you into divulging personal information such as credit card numbers, passwords and PIN codes in order to steal your money. The tale of Mr H above is a classic case of a successful phishing scam.
Many phishing scams target their intended victims via email, although other approaches are also used, such as text messages, phone calls and social media.
Some phishing emails claim to be from a legitimate organisation such as a bank or internet service provider. Some, like the one that duped Mr H, claim to be offering a prize for participating in a survey.
How can you avoid phishing scams and stay smart online?
The way to minimise your chances of being “phished” is to remain vigilant and be aware of the techniques that scammers use to try to trick you into divulging details that they can use to rob you.
How can you tell when an email you receive is part of a phishing scam?
There are several details that could alert you that you have received an email that is part of a phishing scam.
The most important thing to remember is not to click on any links or download any attachments from an email if you have even the faintest shadow of a doubt about its validity.
If in doubt, ring the sender of the email
If you receive an email claiming to be from your bank, telephone company, internet service provider, lawyer, accountant or conveyancing company, and you’re not 100 per cent confident that the email is genuine, there is a simple way to verify its legitimacy.
To eliminate any doubt, just pick up the phone and give them a call on the phone number that you would usually use to call them (don’t use a phone number that appears in the email).
Australians losing increasing sums to scammers
Despite the efforts of the government to warn us, many Australians continue to fall victim to scams. Collectively we lost nearly $500 million during 2018 – a substantial increase on the previous year.
As technology advances and systems become ever more sophisticated in the attempt to prevent fraud, scammers become increasingly ingenious in their efforts to rob us.
Human error remains the weakest link in the chain. According to recent figures, human error and compromised credentials make up 67 per cent of reported data breaches. (See Human error the leading cause of data breaches, Casey Tonkin, Information Age, 29 August 2019.)
Mr H in the case described above was fortunate. He was compensated for his losses because the FOS found in his favour. Others in a similar position may not be so lucky.
Being aware of scams and remaining vigilant is your best defence.
For more information please see the articles below.
Protect yourself against payment redirection scams
Business email compromise scams conning Australians out of millions
“I lost my money in a cryptocurrency scam. My financial firm should have warned me.” Which case won?
Useful resources about scams
Stay Smart Online Week – this national awareness week for online safety is run in October each year. Stacks Law Firm is a Supporting Partner of this important initiative.
Scamwatch – website run by the Australian Competition and Consumer Commission (ACCC) which publishes regular updates about scams. You can sign up on this website to receive email alerts about new and current scams.
Phishing – this page describes in detail what phishing is and how it works.
Whaling and spear phishing – this page describes phishing scams that target businesses.